Hi Mike, Stefan,

Since I'm the one who brought this up, I'll try to be an advocate for why this 
change is a good thing for certain users.


We are evaluating X2Go for use in an existing corporate technical compute 
environment. There is a shortcoming in our current thin client solution (not 
NX) and we need to identify a replacement. This environment contains hundreds 
of users, hundreds of systems, dozens of applications, and an uncountable 
number of scripts. X2Go is being considered against several alternatives.

Whatever solution we choose has to work within the existing environment and 
support the existing workflow. Our current workflow uses a mixture of xhost and 
xauth to allow xclients to connect to xservers. While "ssh -Y" may technically 
be an elegant solution, requiring it would break our existing tools, processes, 
and scripts. Simply put, any thin client solution we deploy has to support TCP 
connections if it is to meet our requirement of not disrupting how work is 
currently done.

I acknowledge that there is a security issue with TCP connections in X11, but 
that is an architectural issue with X11 itself and not with X2Go per se. If the 
developers of X2Go were to make TCP connections impossible then effectively the 
defined security model of X11 (as documented in places like the XSecurity and 
Xauth man pages) would be broken. TCP is part of how X11 works.

Once it became apparent in our testing that exporting displays didn't work as 
expected, the system administrator who installed it went through the 
configuration files and documentation looking for a solution. He couldn't find 
one, so he escalated it to me to look into. If we hadn't been able to find a 
fix it would have ruled out X2Go from further consideration, which would have 
been unfortunate as it is currently our leading choice for this particular need.

Hopefully the above helps persuade you that there is a need for some users to 
be able to continue to support the existing X11 security model (including TCP).

If you accept that point, then it seems there should be a more elegant way of 
enabling TCP than editing the x2gostartagent file. As someone brand new to 
looking at the project, files like x2goagent.options or x2goserver.conf are the 
obvious places I would expect to find an option to make this change.

Thanks,
Nick





On Friday, December 6, 2013 5:16 AM, Stefan Baur 
<newsgroups.ma...@stefanbaur.de> wrote:
 
On 06.12.2013 13:06, Mike Gabriel wrote:
> The default should be "disabled", of course. However, I think that we
> should support people that want to use X2Go in their setup as a
> replacement for *NX*. Making something configurable and putting a big
> red warning sign above the configuration should be ok IMHO.

> Feedback?

Is there no way of assisting this user in migrating away from NX, other 
than raping our codebase like that?

What's wrong with using ssh -X / ssh -Y, which was previously suggested
to the user?

Maybe some more information on what the user is trying to accomplish 
would help us come up with a better solution.


-Stefan